US9197538B2 - Rule-based routing to resources through a network - Google Patents


Publication number
US9197538B2
Authority
US
United States
Prior art keywords
resource
address
network
client
rule
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
US14/061,988
Other versions
US20140053237A1 (en)
Inventor
Chris Hopen
Bryan Sauve
Paul Hoover
Bill Perry
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Quest Software Inc
Aventail LLC
SonicWall US Holdings Inc
Original Assignee
Aventail LLC
Abstract

Techniques for determining which resource access requests are handled locally at a remote computer, and which resource access requests are routed or “redirected” through a virtual private network. One or more routing or “redirection” rules are downloaded from a redirection rule server to a remote computer. When the node of the virtual private network running on the remote computer receives a resource access request, it compares the identified resource with the rules. Based upon how the identified resource matches one or more rules, the node will determine whether the resource access request is redirected through the virtual private network or handled locally (e.g., retrieved locally from another network). A single set of redirection rules can be distributed to and employed by a variety of different virtual private network communication techniques.

Description

CROSS-REFERENCE TO RELATED APPLICATIONS
The present application is a continuation and claims the priority benefit of U.S. patent application Ser. No. 11/251,592 filed Oct. 14, 2005 now U.S. Pat. No. 8,950,032, which claims the priority benefit of U.S. provisional application No. 60/619,151 filed Oct. 14, 2004. U.S. patent application Ser. No. 11/251,592 is also a continuation-in-part and claims the priority benefit of U.S. patent application Ser. No. 11/009,692 filed Dec. 10, 2004, now U.S. Pat. No. 8,255,973, which claims the priority benefit of U.S. provisional application 60/528,870 filed Dec. 10, 2003, the disclosures of which are incorporated herein by reference.
BACKGROUND OF THE INVENTION
1. Field of the Invention
The present invention relates to the routing of messages from a client computer to one or more resources through a network. Various aspects of the invention may be used to ensure that messages sent from a client computer through a virtual private network (VPN) channel to a network are correctly routed to the appropriate resources.
2. Description of the Related Art
In the last decade, the use of electronic computer networks has greatly increased. Electronic computer networks may be found in businesses, schools, hospitals, and even residences. With these networks, two or more computing devices communicate together to exchange packets of data according to one or more standard protocols, such as the TCP/IP protocols. Usually, one computer, often referred to as a “client,” requests that a second computer perform a service. In response, the second computer, often referred to as a “server,” performs the service and communicates the resulting data back to the first computer.
As reliance on computers has increased, the demand to access computer resources from a variety of locations has increased as well. Conventionally, for example, a business user may have accessed resources on a corporate server through a desktop computer connected to the corporate server by a private, secure corporate network. Now, however, that user may wish to access the same corporate resources from a remote location over a public network, such as the Internet. For example, a user may need to access resources through a corporate network from a personal computer while at home or from a laptop computer while traveling. In order to securely access the resources, the user will typically employ an encrypted communication technique. The network formed by the remote computer and the network using encrypted communications is typically referred to as a Virtual Private Network (VPN).
A virtual private network can be formed using a plurality of different encrypted communication techniques. For example, a remote computer may implement a temporary or permanent dedicated communication software application to securely communicate with the network. The dedicated communication software application will then encrypt and send messages to the network, and receive and decrypt messages received from the network. Some examples of this type of dedicated communication software application may embed encrypted messages in conventionally formatted data packets, so that the encrypted messages are invisible from outside of the secure communication channel. The virtual private networks that employ these embedded communication techniques are sometimes referred to as “tunneling” virtual private networks, as their communications may “tunnel” through a public network. Alternately, a remote computer may communicate with a network using a conventional browser application enhanced with additional “plug-in” software. With this type of virtual private network, the resources may be used by the network rather than the remote computer. The information obtained from using the resources will then be visible through the browser.
It also should be appreciated that, with some implementations of a virtual private network, the remote computer can communicate point-to-point with some or all of the nodes within the network. With still other implementations of a virtual private network, however, the remote computer may directly communicate with only a proxy software application. The proxy software application will then decrypt communications from the remote computer, and route them to the appropriate node within the network. With this type of virtual private network, the proxy software application will be hosted on a computer (or computing node) outside of a firewall protecting the network. The proxy software application will then communicate with network nodes through the firewall. Different types of virtual private networks may employ any desired encryption technique. For example, a virtual private network may implement communication channels secured using the Secure Socket Layers (SSL) protocol, the Hypertext Transfer Protocol Secure (HTTPS) protocol (which employs the Secure Socket Layers (SSL) protocol), or the Internet Protocol Security (IPSec) protocol.
While a virtual private network can provide a remote computer with secure access to resources through a network, it may be desirable for the virtual private network to ignore some resource access requests. For example, a user or software application running on the remote computer may request access to a resource that is simply unavailable to the network. Alternately, a user or software application running on the remote computer may request access to a resource that is available through the public network. For example, a company may maintain a network with the hostname “mycompany.com.” While this network may include several private resources, it also may include various portions that are publicly accessible, such as World Wide Web pages available through the domain name “www.mycompany.com.” Accordingly, it may be a waste of valuable bandwidth on a secure communication channel to access resources that can otherwise be obtained through the public network. If a resource cannot or should not be accessed through the virtual private network, then it may be preferable for the virtual private network to ignore a request to access the resource, and instead have the resource access request handled locally at the remote computer via a different network mechanism.
Also, virtual private networks will conventionally access resources through a network using specific addresses for the resource locations, such as Internet Protocol (IP) addresses. This access regimen allows the resource to be more easily identified. It would be desirable, however, to allow resources to be accessed using name identifiers, such as hostnames and domain names. A name may be consistently employed to access a resource, for example, even if the specific IP address changes.
SUMMARY OF THE PRESENTLY CLAIMED INVENTION
Various aspects of the invention relate to techniques for determining which resource access requests are handled locally at a remote computer, and which resource access requests are routed or “redirected” through the virtual private network. With some examples of the invention, for example, one or more routing or “redirection” rules are downloaded from a redirection rule server to the remote computer. When the node of the virtual private network running on the remote computer receives a resource access request, it compares the identified resource with the rules. Based upon how the identified resource matches one or more rules, the node will determine whether the resource access request is redirected through the virtual private network or handled locally (e.g., retrieved locally from another network). With various examples of the invention, a single set of redirection rules can be distributed to and employed by a variety of different virtual private network communication techniques. With still other embodiments of the invention, the network may compile a user-specific list of redirection rules according to a user's authority to access resources through the network. Thus, the redirection rules downloaded to the virtual private network node operating on a remote computer will reference only those resources that the user of the node has permission to access.
Further, various implementations of the invention will employ redirection rules that identify resources using names instead of, or in addition to, specific IP addresses. Thus, the redirection rules can be employed by applications running on a remote computer by resource names rather than specific addresses for resource locations. By comparing a resource name in a resource access request with resource names in a list of redirection access rules, a virtual private network node operating on a remote computer can determine whether a resource access request is redirected through the virtual private network based only upon the name of the resource.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 shows one example of a conventional client/server network.
FIG. 2 shows an example of a computing device that can be used to implement a network appliance according to various examples of the invention.
FIG. 3 shows an example of a virtual private network system that may be employed according to various examples of the invention.
FIGS. 4A and 4B illustrate user interfaces that may be employed with various implementations of the invention to define a resource employed according to various examples of the invention.
FIG. 5 illustrates a user interface that may be employed to create an exclusion rule according to various examples of the invention.
FIG. 6 illustrates a flowchart showing the use of the redirection rules according to various examples of the invention.
FIG. 7 illustrates a flowchart showing a sorting procedure that may be employed to sort redirection rules according to various examples of the invention.
FIG. 8 illustrates a domain name object that may be employed according to various examples of the invention.
FIG. 9 illustrates a client that may be employed according to various examples of the invention.
FIG. 10 illustrates a flowchart showing a process that a client, employing a local forward Web server to establish a virtual private network between a computer and a network, may use to prepare redirection rules for implementation according to various examples of the invention.
FIG. 11 illustrates a flowchart showing how the client, employing a local forward Web server to establish a virtual private network between the computer and the network, uses the redirection rules to process requests for access to a resource.
FIG. 12 illustrates a flowchart showing a process that a client, employing a local circuit proxy to establish a virtual private network between a computer and a network, may use to prepare redirection rules for implementation according to various examples of the invention.
FIG. 13 illustrates a flowchart showing how the client, employing a local circuit proxy to establish a virtual private network between the computer and the network, may use the redirection rules to redirect resource access requests from applications.
FIG. 14 illustrates a flowchart showing a process that a client, employing a local IP tunnel adaptor client to establish a virtual private network between a computer and a network, may use to prepare redirection rules for implementation according to various examples of the invention.
FIG. 15 illustrates the process by which the client will route outbound traffic.
FIG. 16 illustrates how the local IP tunnel adaptor client processes incoming traffic from the network.
FIG. 17 illustrates a flowchart showing the operation of a network based implementation of a reverse web proxy client to prepare redirection rules for implementation according to various embodiments of the invention.
FIG. 18 illustrates a flowchart showing how the network based implementation of a reverse web proxy client employs the redirection rules according to various examples of the invention.
DETAILED DESCRIPTION
Client/Server Configuration
Various embodiments of the invention will typically be employed to facilitate cooperation between a client and one or more servers in a network. As known in the art, a client/server configuration (including a Web based architecture configuration) occurs when a computing device requests the use of or access to a resource from another computing device. For convenience and ease of understanding hereafter, requests to use, obtain, or otherwise access a resource may generically be referred to simply as “requesting” a resource, while using, obtaining, or otherwise accessing a resource may generically be referred to simply as “obtaining” or “accessing” a resource.
Because the computing device responsible for providing the resource “serves” the computing device initially requesting the resource, the computing device responsible for providing the resource is often referred to as a “server.” The computing device requesting the resource is then commonly referred to as a “client.” Also, because a request for resources and the delivery of those resources may be relayed among a variety of computing devices having a client/server relationship, the client computing device initially requesting the resource is commonly referred to as the “end point” client.
FIG. 1 illustrates a conventional relationship between a client 101 and a server 103.
As seen in this figure, the client 101 may transmit the request for one or more resources to the server 103 over a network 105. The network 105 may be a private network, such as an intranet, or a public network, such as the Internet. The server 103 may then provide the client 101 with the requested resources over the network 105.
It should be noted that, as used herein, a server may be considered a virtual device rather than a physical device. For example, the functions of the server 103 may be performed by a single computing device. Alternately, the functions of the server 103 may be performed by a group of computing devices cooperating together. Similarly, a client may be considered a virtual device. That is, one or more separate computing devices can cooperate together to function as a client. In many situations, a client may work with multiple servers in order to obtain a resource. For example, a client may submit the request for a resource to a first server, which may then relay the request to a second server. The second server may authenticate the identity of the client (or a user employing the client), to determine whether the client should be permitted to access or use the requested resource. Yet another server may then actually provide the resource to the client.
As used herein, a resource may be any type of object or service available through a server. For example, the resource may be a data file or a directory of data files. The resource may also be a service, such as an electronic mailing service, a database service, a document management service, a remote shell or terminal service, or the like. Further, a resource may be within a network, or it may be located outside of the network but accessible to the client through the network.
Example Computing Device
Various embodiments of a virtual private network according to the invention may be implemented using dedicated analog or digital electronic circuitry. More typically, however, the various features of the invention will be implemented by executing software instructions on a programmable computing device or computer. For example, each node in a virtual private network will typically be implemented by executing software instructions on a programmable computing device or computer. Accordingly, FIG. 2 shows one example of a computer 201 that can be used to implement various aspects of the invention.
The computer system 201 illustrated in FIG. 2 includes a processing unit 203, a system memory 205, and a system bus 207 that couples various system components, including the system memory 205, to the processing unit 203. The system memory 205 may include a read-only memory (ROM) 209 and a random access memory (RAM) 211. A basic input/output system 213 (BIOS), containing the routines that help to transfer information between elements within the computer system 201, such as during startup, may be stored in the read-only memory (ROM) 209. If the computer system 201 is embodied by a special-purpose “server application” computer system 201, it may further include, for example, another processing unit 203, a hard disk drive 215 for reading from and writing to a hard disk (not shown), a magnetic disk drive 217 for reading from or writing to a removable magnetic disk (not shown), or an optical disk drive 219 for reading from or writing to a removable optical disk (not shown) such as a CD-ROM or other optical media.
A number of program modules may be stored on the ROM 209, the hard disk drive 215, the magnetic disk drive 217, and the optical disk drive 219. A user may enter commands and information into the computer system 201 through an input device 223, such as a keyboard, a pointing device, a touch screen, a microphone, a joystick or any other suitable interface device. Of course, the computer system 201 may simultaneously employ a variety of different input devices 223, as is known in the art. An output device 225, such as a monitor or other type of display device, is also included to convey information from the computer system 201 to the user. As will be appreciated by those of ordinary skill in the art, a variety of output devices 225, such as displays, speakers and printers, may alternately or additionally be included in the computer system 201.
In order to access other computing devices, the computer system 201 should be capable of operating in a networked environment using logical connections to one or more remote computing devices, such as the remote computing device 227. The computer system 201 may be connectable to the remote computer 227 through a local area network (LAN) 229 or a wide area network (WAN) 231, such as the Internet. When used in a networking environment, the computer system 201 may be connected to the network through an interface 233, such as a wireless or wired network interface card (NIC) or similar device. While the interface 233 is illustrated as an internal interface in FIG. 2, it may alternately be an external interface as is well known in the art. Of course, it will be appreciated that the network connections shown in this figure are for example only, and other means of establishing a communications link with other computers may be used.
A Virtual Private Network System
FIG. 3 illustrates one example of a virtual private network that may be used to implement various embodiments of the invention. As seen in this figure, the virtual private network includes a local area network (LAN) 301, and one or more remotely located clients 303. Each client 303 communicates with the network 301 through an intermediate network 305. In the illustrated example, the intermediate network 305 is a public network, such as the Internet. With alternate examples of the invention, however, the network 305 may be a private network, such as a corporate or institutional intranet. A client 303 may be implemented by any suitable computing device or combination of computing devices. For example, a client 303 may be a programmable computer, such as the programmable computer 201 described above. The computer may be, for example, a personal desktop computer, a laptop computer, or even a personal digital assistant or “smart” telephone.
As employed herein, the term “user” will refer to the individual using a client 303 to obtain one or more resources 307 through the server system 301. For some applications of the invention, a client 303 may be implemented on a computing device owned by its user or by the same corporation or institution maintaining the local area network 301 (or by a related corporation or institution). With still other applications of the invention, a client 303 may be implemented on a computing device owned by a third party, and may even be provided in a publicly available kiosk. A client 303 may obtain access to one or more resources 307 through the local area network 301. In some situations, the resources 307 may be included within the local area network 301. Alternately, one or more of the resources 307 may be available to the local area network 301 over a public network 305. In either case, a client 303 accesses the resources 307 through the local area network 301.
The local area network 301 includes a number of components used to control the clients' 303 access to the resources 307. For example, the network 301 may include a policy server 309. The policy server 309 contains a list of each of the resources 307, along with their location. For example, a resource 307 may be identified by an Internet protocol (IP) address, a domain name, a host name, a universal resource locator (URL) address, or the like. The policy server 309 then includes a set of rules determining the conditions under which each client 303 may or may not access each resource 307. The policy server 309 determines the conditions under which a user of the client 303 may obtain a requested resource 307. More particularly, the policy server 309 administers policy rules specifying the conditions under which a user may obtain a requested resource. With various embodiments of the invention, these conditions may include both the identity of the user and the operating environment of the client 303. With various embodiments of the invention, the policy server 309 also may validate authentication credentials submitted by a user with a request to obtain resources 307 through the network 301. As used herein, the term “administrator” will refer to a person authorized to configure policy rules for enforcement by the policy server 309.
As will be discussed in further detail below, various implementations of the invention allow a network administrator or other authorized person to provide inclusion instructions 311 for the resource information in the policy server 309, in order to create a set of inclusion redirection rules. Some embodiments of the invention may also allow a network administrator or other authorized person to provide exclusion instructions 313 for the resource information in the policy server 309, in order to create a set of exclusion redirection rules. These redirection rules may then be stored in the redirection rule server 317. Accordingly, when a client 303 connects to the local area network 301, the client 303 can obtain the redirection rules from the redirection rule server 315, and subsequently employ those rules to determine which resource access requests are redirected to the network 301, and which resource access requests are handled locally by the client 303.
The network 301 also may include one or more resource servers 317, which facilitate a client's access to one or more resources 307. Typically, a client 303 transmits some type of resource access request to the network 301 requesting that the use of or access to one or more resources 307 be provided through the resource server 317. With various embodiments of the invention, the client 303 may request one or more resources from the resource server 317 through a secure communication channel. For example, a client 303 may seek to establish a secure communication channel using any desired conventional security protocol, such as the Secure Socket Layers (SSL) protocol, the Hypertext Transfer Protocol Secure (HTTPS) protocol (which employs the Secure Socket Layers (SSL) protocol), the Internet Protocol Secure protocol (IPSec), the SOCKet Secure (SOCKS) protocol, the Layer Two Tunneling Protocol (L2TP), the Secure Shell (SSH) protocol, or the Point-to-Point Tunneling Protocol (PPTP). Further, the client 303 may seek to establish a secure communication channel using a secure remote computer connection technique, such as Windows Remote Desktop, Citrix, Virtual Network Computing (VNC) or other “screen-scraping” technology.
It also should be noted that the resource server 317 shown in FIG. 3 is merely representative of any combination of one or more servers that can provide a requested resource 307. Thus, the resource server 317 may be any server or combination of servers responsible for providing one or more resources 323 to clients 303. For example, the resource server 317 may be a Domain Name Service (DNS) server, an electronic mail server, a server that maintains a database, a print server, a data storage server, a file or document management server, a Voice over Internet Protocol (VoIP) server, a remote shell or terminal service or the like. With some implementations of the invention, the resource server 317 may only be indirectly responsible for providing requested resources. For example, the resource server 317 may be a proxy server providing a connection to yet another server through, for example, a private network, which will actually provide the requested resources to the client 303. Thus, the resource 307 being sought by the client 303 through the network 301 does not have to be in physical or logical proximity to the resource server 317. It also should be appreciated that the resource server 317 may be responsible for providing a variety of different types of resources, including any combination of data files and services.
Defining Resources
The resources 307 may include Web resources, network resources, and file system resources. Web resources will typically be Web-based applications or services that are accessed using HTTP or HTTPS. For example, Web resources may include Microsoft Outlook Web Access and other Web-based e-mail programs, Web portals, corporate intranets, and standard Web servers. With various examples of the invention, traffic to these Web resources may be proxied through a Web proxy service, i.e., a secure gateway through which users can access private Web resources from the Internet. A Web resource can be defined in various ways.
Network resources are then client/server enterprise applications that run over TCP/IP, including applications that use UDP. Examples of network resources may include thin-client applications such as Citrix, full client/server applications such as Microsoft Outlook, Lotus Notes, or SAP, or terminal servers. With various examples of the invention, a network resource will be defined by specifying a host name, an IP address or IP range, a subnet IP address, a WINS Domain, or a DNS domain. Network resources can also be used to define a network object containing multiple Web resources (such as a domain), or to define a network object that can be used to control access based on the source of a connection request. The following list explains the syntax used to define each of these resource types. It should be noted that host names can be fully qualified or unqualified.
URL Type Examples:
Standard URL--http://host.example.com/index.html
Standard URL with port number--http://host.example.com:8445/index.html
URL for secure site--https://host.example.com/index.html
URL containing IP address--http://192.0.34.0/index.html
Resource Type Examples:
Host name--bart.private.example.com
Host IP address--192.0.34.72
IP range--192.0.34.72-192.0.34.74
Subnet--192.0.34.0/255.255.255.0
Domain name--private.example.com
Windows domain--example or example.com
File system resources may then include Windows network servers or computers containing shared folders and files that users can access via the resource server 317. A file system resource can be defined using, e.g., a specific file system share by a UNC path or an entire Windows domain. Defining an entire Windows domain gives authorized users access to all the network file resources within the domain. A specific file system resource can be an entire server (for example, \\ginkgo), a shared folder (for example, \\john\public), or a network folder (\\ginkgo\news). A file system resource can also reference a user's personal folder on the network. This feature allows a single shortcut to be created that the resource server 317 can dynamically reference as a personal folder for a current user.
FIGS. 4A and 4B illustrate user interfaces that may be employed with various implementations of the invention to define a resource. For example, from a navigation menu, a user may obtain access to the Add/Edit Resource interface page 401. To name the new resource, the administrator can type the name for the resource in the Name field 403. Then, in the Description field 405, the administrator can type a descriptive comment about the resource. Completing the Add/Edit Resource interface page 401 then summons the Resource Definition interface page 407. In this page, an administrator can employ the field groups 409-419 to provide the appropriate information to define the resource. For example, in the Hostname field group 409 or IP field group 411, the administrator can enter a host name (it can be qualified or unqualified) or type the full IP address for the host in dotted decimal form (w.x.y.z), respectively. An IP range typically identifies a partial range of computers within a subnet. Under the IP range area, the IP addresses may be entered at the beginning of the range (From) and the end (To) of the IP range in dotted decimal form (w.x.y.z). A subnet is a portion of a network that shares a common address component. Accordingly, a subnet can be entered in the Subnet field group 413 by typing the IP address and Subnet mask in dotted decimal form (w.x.y.z). A domain encompasses one or more hosts, so a Domain can be entered into the Domain field group 415 by typing the name of the domain (such as example.com).
To define a Web resource, the administrator can select a URL for the resource and then type the appropriate URL into the URL field group 417. The administrator will typically include the http:// or https:// protocol identifier. For file share resources, the administrator will define a specific file system resource by entering a UNC path into the UNC field group 419. This can be an entire server (for example, \\ginkgo), a shared folder (for example, \\john\public), or a network folder (\\ginkgo\news). To reference a user's personal folder on the network, the administrator will activate the Network Share Button 421 and then type a UNC path containing the variable XXX_Username XXX into the UNC field group 419.
Defining a Redirection Rule
Once a resource 307 has been defined, then an administrator can define one or more redirection rules for that resource. With various examples of the invention, the redirection rules can advantageously be associated with resource definitions that already have been created for use by the policy server 309. With other examples of the invention, however, the redirection rules can be generated using resource definitions separate from those used by the policy server 309.
With various examples of the invention, the redirection rules may include both inclusion redirection rules and exclusion redirection rules. An inclusion redirection rule will instruct the client 303 to redirect a resource access request for the designated resource to the network 301. An exclusion redirection rule will then instruct the client 303 to handle a resource access request for the designated resource locally. With various examples of the invention, a redirection rule will automatically be created for each resource defined for the policy server 309. Alternately, various examples of the invention may require an administrator to specifically create an inclusion redirect rule for each desired resource. Typically, an administrator will specifically create an exclusion rule for a resource.
For example, FIG. 5 illustrates a user interface 501 that may be employed to create an exclusion rule. As seen in this figure, the user interface 501 includes a field 503 in which the administrator can define a resource for exclusion from redirection in a client 303. With various examples of the invention, the administrator can define the resource to be excluded using host names, domain names, or IP addresses.
Various examples of the invention also will allow “wildcard” characters to be used in defining resources for inclusion redirection rules and exclusion redirection rules. For example, some implementations of the invention may support the use of the character ‘*’ as a wildcard for multiple characters in a resource definition. In addition, some examples of the invention may also support the use of the ‘?’ character as a single-character wildcard. Thus, using these wildcard characters, the hostname “j*.mycompany.com” would match each of the hostnames “j.mycompany.com”, “jon.mycompany.com” and “jscott.mycompany.com”. Similarly, the hostname “j??.mycompany.com” would match the hostname “jon.mycompany.com” but not the hostname “j.mycompany.com” or “jscott.mycompany.com”, because each ‘?’ must correspond to a single character. The use of these types of wildcard characters is beneficial where, for example, it is undesirable to use the bandwidth of the virtual private network to access resources that are otherwise publicly available. For example, the administrator may define a resource associated with a company's private network, such as myCompany.com. It would still be desirable, however, to route traffic to the company's public web servers (e.g., www.myCompany.com, www2.myCompany.com, and www3.myCompany.com) locally from the client rather than through the network 301. With various examples of the invention, an administrator thus can avoid this undesired redirection by adding an exclusion redirection rule for the resource defined as “www*.myCompany.com.”
Client Use of Redirection Rules
Once the redirection rules have been created, they are then passed from the redirection rules server 315 to the client as a list. In the list, the redirection rules may be presented as a non-sorted list of strings having any desired format. For some of the examples of the invention, however, the redirection rule list may include a non-sorted list of strings having the following rule type and format:
Hostname Rules | Rule String Format
Qualified | “HOSTNAME=morty.in.mycompany.com”
Unqualified | “HOSTNAME=morty”
Wildcard | “HOSTNAME=morty*”
Exclude | “EXCLUDE_HOSTNAME=morty*”

Domain Rules | Rule String Format
Domain | “DOMAIN=in.mycompany.com”
Wildcard | “DOMAIN=*.in.mycompany.com”
Exclude | “EXCLUDE_DOMAIN=in.mycompany.com”

IP Address Rules | Rule String Format
Address | “HOSTNAME=192.168.1.1”
Exclude | “EXCLUDE_HOSTNAME=192.168.1.1”

IP Subnet Rules | Rule String Format
Subnet | “SUBNET=192.168.0.0, 255.255.0.0”
Exclude | “EXCLUDE_SUBNET=192.168.0.0, 255.255.255.0”

IP Address Range Rules | Rule String Format
Domain | “RANGE=192.168.1.0, 192.168.1.100”
Exclude | “EXCLUDE_RANGE=192.168.1.0, 192.168.1.100”
The use of the redirection rules will be described in more detail with reference to the flowchart illustrated in FIG. 6. Initially, in step 601 the client downloads the redirection rules from the server in a list. Next, in step 603, the client sorts the input rules based upon precedence. With various embodiments of the invention, the order of precedence is arranged from most specific identification information to the least specific identification information. One example of a sorting procedure that may be employed by various embodiments of the invention is illustrated in more detail in FIG. 7.
As seen in this figure, in step 701 all redirection rules that specify at least one IP address are converted into the format corresponding to the IP address range rules. Thus, the IP address rules remain unchanged, as these rules specify a range of one IP address. The IP subnet rules, however, are transformed into an IP address range that includes all of the addresses in the subnet. The list of rules that specify at least one IP address is then sorted based upon, e.g., range size from smallest to largest. Next, in step 703, any exclude rule having a range that matches an include rule is given a higher precedence than the corresponding include rule. Next, the rules that include at least one domain name are sorted. More particularly, in step 705, a domain name object 801 is created for each domain name rule. As illustrated in FIG. 8, the domain name object 801 may have a label count field 803, a wildcard index field 805, and one or more flag fields 807. In the illustrated example, the label count field 803 includes 8 bits, the wildcard index field 805 includes 16 bits, and the flag fields 807 employ 8 bits.
The label count field 803 records the number of labels in the domain name for the domain name rule. For example, the name “mycompany.com” would have two labels, while the name “corporate.avantail.com” would have three labels. In the wildcard index field 805, a bit is set for each label without wild cards, with the highest order bit corresponding to the right-most label. For example, a redirection rule with the resource name “in.mycompany.com” would have an index of 7 (binary 111). A redirection rule with the resource name “?n.mycompany.com”, on the other hand, would have an index of 6 (binary 110). The domain name *.av*.com would then have an index of 4 (binary 100), while a redirection rule with the resource name “in.mycompany.*” would have an index of 3 (binary 011). The flag fields then include a flag indicating when the domain name has no partial match (i.e., the name begins with “.”), and a flag indicating whether the domain name was used in an exclude rule or an include rule, such that the exclude rule takes precedence over the include rule.
Accordingly, in step 707, the domain names are sorted according to their corresponding domain name objects. Thus, a first domain name having a higher label count than a second domain name would take precedence over the second domain name. If two domain names have the same label count, then the domain name with the higher wild card index will take precedence. If the label count, wildcard index, and flag values match for two or more domain names, then the domain names are sorted alpha-numerically. In this manner, each rule is assigned an order of precedence in which it will be implemented by a client 303.
Returning now to FIG. 6, the sorted rules are output for use by the client in step 605. With various examples of the invention, the sorted rules may be output as three separate lists: the list of IP address rules, sorted according to their IP address ranges, a list of host name rules sorted as described in detail above, and a third list of domain rules, which also have been sorted according to the process discussed in detail above. During its operation, a client 303 will employ the rules to determine which resource access messages are routed through the virtual private network, and which ones are handled locally. More particularly, in step 609, the resource identified in a resource access request is compared with the lists of sorted rules, to determine if the resource identifier referenced in the resource access message matches a resource rule. For example, if the resource access request includes an IP address to identify a resource, then that IP address is sequentially compared with the IP addresses referenced in the IP address rules. Similarly, if a resource access request includes a domain name or a host name to identify a resource, then that request is sequentially compared to the corresponding host name rule list or domain rule list, respectively. It should be noted that, if the resource access request includes both a domain name and a host name to identify a resource, then the host name should be compared with the host name rules list before the domain name is compared with the domain name rules list. For either a domain name resource identifier or a host name resource identifier, each element of the corresponding rule list is traversed from most specific (front) to least specific (end).
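The sort described above can be sketched as follows. This is an added example, not code from the patent: it packs the 8-bit label count, 16-bit wildcard index and 8-bit flags into one 32-bit key so that a single numeric comparison gives the precedence order. The function names, the flag bit positions and the sample rule list are assumptions made for illustration.

```javascript
// Added illustration. Flag bit positions are assumed; the text only says
// that the two flags exist and that exclude outranks include.
const FLAG_EXCLUDE = 0x01;    // rule string started with EXCLUDE_
const FLAG_NO_PARTIAL = 0x02; // name begins with "."

function parseNameRule(ruleString) {
  // Accepts HOSTNAME=/DOMAIN= rule strings and their EXCLUDE_ variants.
  const m = /^(EXCLUDE_)?(HOSTNAME|DOMAIN)=(.+)$/.exec(ruleString.trim());
  if (!m) throw new Error("not a name rule: " + ruleString);
  return { exclude: Boolean(m[1]), kind: m[2], name: m[3].toLowerCase() };
}

function wildcardIndex(labels) {
  // One bit per label that contains no '*' or '?'. The right-most label
  // maps to the highest-order bit, the left-most label to bit 0.
  let index = 0;
  labels.forEach((label, i) => {
    if (!/[*?]/.test(label)) index |= 1 << i;
  });
  return index;
}

function domainNameObject(rule) {
  const noPartial = rule.name.startsWith(".");
  // Assumption: a leading "." is a marker and is not counted as a label.
  const labels = (noPartial ? rule.name.slice(1) : rule.name).split(".");
  if (labels.length > 16) {
    throw new Error("more labels than the 16-bit wildcard index can hold");
  }
  const index = wildcardIndex(labels);
  const flags =
    (rule.exclude ? FLAG_EXCLUDE : 0) | (noPartial ? FLAG_NO_PARTIAL : 0);
  // 8-bit count | 16-bit index | 8-bit flags; >>> 0 keeps the key unsigned.
  const key = ((labels.length << 24) | (index << 8) | flags) >>> 0;
  return { ...rule, labelCount: labels.length, wildcardIndex: index, flags, key };
}

function sortNameRules(ruleStrings) {
  // Higher key first; equal keys fall back to alphanumeric order by name.
  return ruleStrings
    .map(parseNameRule)
    .map(domainNameObject)
    .sort((a, b) =>
      (b.key - a.key) || (a.name < b.name ? -1 : a.name > b.name ? 1 : 0));
}

// Constructed sample list, using the rule string formats listed earlier.
const SAMPLE_RULES = [
  "DOMAIN=mycompany.com",
  "DOMAIN=*.in.mycompany.com",
  "DOMAIN=in.mycompany.com",
  "EXCLUDE_DOMAIN=in.mycompany.com",
  "DOMAIN=in.mycompany.*",
];

for (const r of sortNameRules(SAMPLE_RULES)) {
  console.log(r.key.toString(16).padStart(8, "0"),
              r.exclude ? "exclude" : "include", r.name);
}
```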
If the resource identifier is matched with a resource reference in an include rule, then the comparison process returns a successful match. If the resource identifier matches an exclude rule, then the comparison process stops traversing the list, and returns an unsuccessful match to the client. If the comparison process fully traverses the list without matching the resource identifier to a rule, then an unsuccessful match also is returned.
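For the IP address list, the conversion to ranges, the smallest-first sort and the first-match traversal can be sketched as below. This is an added example, not the patent's code; the function names, the tie-break between equal-size ranges and the sample rule list are assumptions. It shows why ordering matters: a single included host inside an excluded subnet is still redirected because its one-address range is evaluated first.

```javascript
// Added illustration of IP rule normalization and first-match evaluation.
function ipToInt(addr) {
  const parts = addr.trim().split(".");
  if (parts.length !== 4) throw new Error("bad IPv4 address: " + addr);
  return parts.reduce((acc, p) => {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) {
      throw new Error("bad IPv4 address: " + addr);
    }
    return acc * 256 + Number(p); // multiply, not shift, to stay unsigned
  }, 0);
}

function toRange(ruleString) {
  const m = /^(EXCLUDE_)?(HOSTNAME|SUBNET|RANGE)=(.+)$/.exec(ruleString.trim());
  if (!m) throw new Error("not an IP rule: " + ruleString);
  const args = m[3].split(",").map((s) => s.trim());
  let from, to;
  if (m[2] === "HOSTNAME") {
    from = to = ipToInt(args[0]);           // a range of one address
  } else if (m[2] === "SUBNET") {
    const addr = ipToInt(args[0]);
    const mask = ipToInt(args[1]);
    const inverse = ~mask >>> 0;
    if ((inverse & (inverse + 1)) !== 0) {
      throw new Error("non-contiguous subnet mask: " + args[1]);
    }
    from = (addr & mask) >>> 0;             // first address in the subnet
    to = (from | inverse) >>> 0;            // last address in the subnet
  } else {
    from = ipToInt(args[0]);
    to = ipToInt(args[1]);
    if (from > to) throw new Error("range start is after range end");
  }
  return { exclude: Boolean(m[1]), from, to, size: to - from + 1, source: ruleString };
}

function sortIpRules(ruleStrings) {
  // Smallest range first. For identical ranges the exclude rule goes first.
  // Ordering equal-size, different ranges by start address is an assumption.
  return ruleStrings.map(toRange).sort((a, b) =>
    (a.size - b.size) || (a.from - b.from) ||
    (Number(b.exclude) - Number(a.exclude)));
}

function shouldRedirect(ip, sortedRules) {
  const n = ipToInt(ip);
  for (const rule of sortedRules) {
    // First matching rule decides: include redirects, exclude stops the
    // traversal and reports no match.
    if (n >= rule.from && n <= rule.to) return !rule.exclude;
  }
  return false; // list exhausted without a match: handle locally
}

// Constructed sample list in the rule string formats listed earlier.
const SAMPLE_IP_RULES = [
  "SUBNET=192.168.0.0, 255.255.0.0",
  "EXCLUDE_SUBNET=192.168.0.0, 255.255.255.0",
  "RANGE=192.168.1.0, 192.168.1.100",
  "EXCLUDE_HOSTNAME=192.168.1.1",
  "HOSTNAME=192.168.0.7",
];

const SORTED_IP_RULES = sortIpRules(SAMPLE_IP_RULES);
for (const ip of ["192.168.1.1", "192.168.1.50", "192.168.0.7", "192.168.0.9"]) {
  console.log(ip, shouldRedirect(ip, SORTED_IP_RULES) ? "redirect" : "local");
}
```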
Example Client
FIG. 9 schematically illustrates a client 303 that may be employed by various examples of the invention. As seen in this figure, the client 303 is hosted on a computer 901, such as the computing device 201 described in detail above. In addition to hosting the client 303, the computer 901 may also host a number of applications 903 that will generate resource access requests. The client 303 then includes a rule processing module 905 and a routing module 907. The rule processing module 905 obtains the redirection rules from the redirection rule server 315, and orders the rules as described in detail above. The routing module 907 then applies the redirection rules to routing the resource access requests from the applications 903.
Local Forward Web Server Client
FIG. 10 illustrates a process that a client 303A, employing a local forward Web server to establish a virtual private network between the computer 901 and the network 301, may use to prepare redirection rules for implementation according to various examples of the invention. As will be appreciated by those of ordinary skill in the art, this type of client employs some type of additional software, such as JavaScript or ActiveX programs, to employ a browser application (such as Microsoft Internet Explorer) as a proxy server to establish a secure connection with the network 301.
Initially, in step 1001, the client 303A will download the redirection rules from the redirection rules server 315. Next, in step 1003, the rule processing module 905 will identify one or more client environmental critical exclusions for use in sorting the downloaded rules. These environmental critical exclusions may include, for example, addresses that are employed locally on the client 303A for specific purposes, such as an address for a network gateway used by the computer hosting the client 303A. As will be appreciated by those of ordinary skill in the art, these exclusions will address information employed by the local host of the client 303A for which the client 303A should have no involvement.
Next, in step 1005, the rule processing module 905 sorts the list of rules downloaded from the redirection rule server 315, and outputs the sorted rule list in step 1007. In step 1009, the routing module 907 obtains an existing browser Web proxy setting or proxy auto configuration (PAC) file that is used to configure the browser as a proxy server. As known by those of ordinary skill in the art, a proxy auto configuration file provides the browser with proxy configuration information from a remote JavaScript file, rather than requiring that the information be statically entered. Next, in step 1011, the rule processing module 905 obtains an evaluation logic JavaScript template. This JavaScript template provides the logic that the PAC file will use to evaluate a resource access request based upon the redirection rules. Then, in step 1013, the rule processing module 905 employs the evaluation logic JavaScript template merged with rules from 1007, 1009 and 1011 respectively, to create a new browser web proxy setting or PAC file. Next, in step 1015, the rule processing module 905 initializes the local forward proxy server. Then, in step 1017, the rule processing module 905 registers the PAC file with the browser, in order to enable redirection of VPN resource access requests to the local web proxy server client according to the programming logic included in the new PAC file.
FIG. 11 illustrates how the client 303A, employing a local forward Web server to establish a virtual private network between the computer 901 and the network 301, uses the redirection rules to process requests for access to a VPN resource. Initially, in step 1101, the Web browser receives a request to access a resource from, e.g., an application 903 or user. The resource access request may be, for example, in the form of a URL entered into the address field of the browser. Next, in step 1103, the routing module 907 provides the resource identifier used in the resource access request to the PAC file. Then, in step 1105, the PAC file executes its JavaScript program to evaluate the resource identifier. Specifically, in step 1107, the JavaScript program determines whether the resource identifier is a specific IP address, or a name, such as a host name or domain name. If the resource identifier includes an IP address, then, in step 1109, the JavaScript program compares the IP address with the IP address rule list, to determine if the IP address matches a resource identified in the IP address rules list. If, however, the resource identifier is a name, then, in step 1111, the JavaScript program matches the name against the host name rule list, the domain name rule list, or both, as described in detail above.
Next, in step 1113, the JavaScript program determines whether or not the resource identifier matched a resource specified in a redirection rule. If it did, then in step 1115, the routing module redirects the request for resources to a local web proxy server associated with the virtual private network. More particularly, in step 1117, the local web proxy server determines whether the client 303A is employing an external proxy server. If the client is not using an external proxy server, then in step 1119, the local web proxy server forwards the resource access request directly to the VPN server in the network 301. If, however, the client 303 is using an external proxy server, then in step 1121 the local web proxy server forwards the URL indirectly to the VPN server in the network 301 via the external proxy.
If the JavaScript program determines that the resource identifier has not matched a rule, then in step 1123 it determines whether or not the PAC file is part of a chained script. More particularly, the browser may be employing one or more additional PAC files for purposes unrelated to implementing the client 303A. Accordingly, if the PAC file used to enforce the redirection rules is part of a chain of scripts for operating the browser, then in step 1125 the routing module 907 calls the next script for execution by the browser. If, however, the client's PAC file is not part of a chained script, then the routing module 907 makes the determination not to redirect the resource request message in step 1127.
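The PAC generation and evaluation described in FIGS. 10 and 11 can be sketched as follows. This is an added example, not the patent's template: `buildPac`, `loadPac`, the placeholder tokens, the renaming of an existing PAC function to `PreviousFindProxyForURL`, and the local proxy address 127.0.0.1:8080 are all assumptions. It takes name rules that are already sorted most specific first, and it includes a small stand-in for the browser's `shExpMatch` helper so the generated script can be exercised outside a browser.

```javascript
// Added illustration. Evaluation-logic template (hypothetical); the three
// __TOKENS__ are filled in by buildPac().
const PAC_TEMPLATE = `
__CHAINED__
var RULES = __RULES__;
function FindProxyForURL(url, host) {
  var name = host.toLowerCase();
  for (var i = 0; i < RULES.length; i++) {
    if (shExpMatch(name, RULES[i].pattern)) {
      if (!RULES[i].exclude) return "PROXY __PROXY__";
      break; // exclude rule: stop traversing and treat as no match
    }
  }
  // No match: hand over to a chained script if one exists, else go direct.
  if (typeof PreviousFindProxyForURL === "function") {
    return PreviousFindProxyForURL(url, host);
  }
  return "DIRECT";
}`;

function buildPac(sortedRules, localProxy, previousPacSource) {
  // Assumed chaining approach: keep the existing PAC script and rename its
  // entry point so the new FindProxyForURL can call it when nothing matches.
  const chained = previousPacSource
    ? previousPacSource.replace(/function\s+FindProxyForURL\b/,
                                "function PreviousFindProxyForURL")
    : "";
  // JSON.stringify quotes the rule strings, so a rule value cannot break
  // out of the data literal and become script in the generated file.
  return PAC_TEMPLATE
    .replace("__RULES__", () => JSON.stringify(sortedRules))
    .replace("__PROXY__", () => localProxy)
    .replace("__CHAINED__", () => chained);
}

// Stand-in for the browser-provided PAC helper, for offline evaluation only.
function shExpMatch(str, shexp) {
  const re = shexp
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}

function loadPac(source) {
  // Evaluates the generated script and returns its FindProxyForURL.
  return new Function("shExpMatch", source + "\nreturn FindProxyForURL;")(shExpMatch);
}

// Constructed sample input: the exclude rule sorts ahead of the include rule.
const SORTED_NAME_RULES = [
  { pattern: "www*.mycompany.com", exclude: true },
  { pattern: "*.mycompany.com", exclude: false },
];
const LOCAL_PROXY = "127.0.0.1:8080"; // placeholder local forward proxy
const PREVIOUS_PAC = `function FindProxyForURL(url, host) {
  return shExpMatch(host, "*.example.net") ? "PROXY proxy.example.net:3128" : "DIRECT";
}`;

const chainedPac = loadPac(buildPac(SORTED_NAME_RULES, LOCAL_PROXY, PREVIOUS_PAC));
const standalonePac = loadPac(buildPac(SORTED_NAME_RULES, LOCAL_PROXY));
console.log(chainedPac("https://jon.mycompany.com/", "jon.mycompany.com"));
console.log(chainedPac("http://www2.mycompany.com/", "www2.mycompany.com"));
```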
Local Circuit Proxy Client
With some examples of the invention, a client 303B may use a local circuit proxy to establish a virtual private network connection between the computer 901 and the network 301. With this type of local circuit proxy client 303B, the client 303B may forward a resource access request to the network 301 only if the request includes a virtual or “spoofed” IP address. Accordingly, the client 303B will map a spoofed IP address to the actual address for the resource, and provide the spoofed IP address to the applications 903 for use.
FIG. 12 illustrates a flowchart showing a process that a client 303B, employing a local circuit proxy to establish a virtual private network between the computer 901 and the network 301, may use to prepare redirection rules for implementation according to various examples of the invention. Initially, in step 1201, the rule processing module 905 downloads the redirection rules from the redirection rule server 315. Next, in step 1203, the rule processing module 905 obtains client environmental critical exclusions, which are used to determine exclusions for when the rules will be employed, as discussed in detail above. Next, in step 1205, the rule processing module 905 accepts the redirection rules, and sorts them as also described in detail above. In step 1207, the rule processing module 905 initializes the VPN agent circuit proxy employed by this type of virtual private network access method. Then, in step 1209, the rule processing module 905 initializes the WinSock Layered Service Provider. The WinSock Layered Service Provider is a conventionally known interface tool provided by the WinSock architecture in Microsoft Windows operating system software available from Microsoft Corporation of Redmond, Wash., and thus will not be discussed here in further detail. Lastly, in step 1211, the rule processing module 905 enables the local circuit proxy for VPN resource redirection.
FIG. 13 then illustrates a flowchart showing how the client 303B, employing a local circuit proxy to establish a virtual private network between the computer 901 and the network 301, may use the redirection rules to redirect resource access requests from applications 903. First, in step 1301, a WinSock application is initiated. Next, in step 1303, the routing module 907 identifies an operation requested by an application 903 through the WinSock application. If the operation is an attempt to connect to the identified resource, then the Layered Service Provider receives the connection request in step 1305. Then, in step 1307, the Layered Service Provider determines whether or not the resource access request includes a spoofed VPN IP address. If it does, then in step 1309 the Layered Service Provider references the host name from the spoof list. Subsequently, in step 1311, the routing module redirects the resource access request to the on-client VPN circuit proxy server. In step 1313, the local circuit proxy client forwards the request for resources to a 301 circuit proxy server associated with the virtual private network. More particularly, in step 1315, the local circuit proxy client determines whether the client 303B is employing an external proxy server. If the client is not using an external proxy server, then in step 1317, the local circuit proxy client forwards the resource access request directly to the VPN server in the network 301 in step 1119. If, however, the client 303 is using an external proxy server, then in step 1319 the local circuit proxy client forwards the URL indirectly to the VPN server in the network 301 via the external proxy.
Returning to step 1307, if the resource access request does not contain a VPN spoof IP address, then, in step 1321, the routing module 907 matches the resource identifier referenced in the resource access request against the IP address rules list. If the routing module 907 determines that there is a rule match in step 1323, then the Layered Service Provider returns to step 1311 to redirect the resource access request to the on-client VPN circuit proxy server. If, however, the resource identifier does not match an IP address rule, then the resource access request is not redirected to the VPN in step 1323.
Returning to step 1303, if the routing module 907 determines that the resource access request is a domain name server (DNS) query or a WINS name server query, then, in step 1325, the routing module 907 provides the resource access request to the WinSock Namespace Service Provider. As with the WinSock Layered Service Provider, the WinSock Namespace Service Provider is a conventionally known interface tool provided by the WinSock architecture in the Microsoft Windows operating system software available from Microsoft Corporation of Redmond, Wash., and thus will not be discussed here in further detail. Next, the Namespace Service Provider determines in step 1327 whether the resource identifier exists in a spoof list. Next, in step 1329, if the Namespace Service Provider determines that the resource identifier does not exist in the spoof list, then in step 1331 the Namespace Service Provider compares the resource identifier to the host name and domain name rule lists as discussed in detail above. In step 1333, the Namespace Service Provider determines if the resource identifier has matched a rule. If it has, then in step 1335, the Namespace Service Provider generates a spoofed VPN IP address and adds the host name IP mapping to the spoof list. Then, in step 1337, it returns the spoofed VPN IP address. If, however, the Namespace Service Provider determines that the resource identifier has not matched a rule in step 1333, then, in step 1339 it allows normal DNS or WINS query processing by the client 303B. Returning to step 1329, if the Namespace Service Provider initially determines that the resource identifier already exists in the spoofed list, then it proceeds immediately to step 1337 and returns the spoofed VPN IP address.
Local IP Tunnel Adapter Client
FIG. 14 illustrates the illustrates a flowchart showing how a process that aclient303C, employing a local IP tunnel adaptor client to establish a virtual private network between thecomputer901 and thenetwork301, may use to prepare redirection rules for implementation according to various examples of the invention. This type of client can securely connect to thenetwork301, such that the client can not only send outbound communications to thenetwork301, but can additionally receive inbound communications that were not initiated by theclient303C.
As shown inFIG. 14, instep1401 theclient303C began the tunnel negotiations to establish a secure connection between theclient303C and the network301 (i.e. tunnel server in the network301). Next, instep1403, therule processing module905 downloads the redirection rules from theredirection rule server315, and instep1405 sorts the rules as described in detail above. After sorting the rules, therule processing module905 outputs the sorted rule list instep1407. Tunnel negotiation is finished atstep1409. Next,step1411, therule processing module905 determines whether theclient303C is using an outbound proxy. If theclient303C is using an outbound proxy, then, instep1413, therule processing module905 writes the rule address list to a Proxy Auto Configuration (PAC) file. Therule processing module905 obtains an existing browser web proxy setting or proxy auto configuration (PAC) file instep1412A, and obtains an evaluation logic JavaScript template instep1412B. As a result, the rule address list is written to a PAC file instep1413. Instep1415, therule processing module905 then registers the PAC file with the browser for transiting of tunnel traffic between the local tunnel adapter and the301 tunnel server. Then, instep1417, therule processing module905 enables the local tunnel adapter interface. Turning now to step1411, if theclient303C is not using a web proxy for outbound communications, then theprocessing module905 immediately enables the interface instep1417.
FIG. 15 illustrates the process by which theclient303C will route outbound traffic. Additionally, instep1501, anapplication903 running on theclient computer901 issues some type of resource access request. This request is intercepted by the transport device interface (TDI) driver instep1503. Instep1505, the TDI driver determines whether the resource access request was a TCP SYN message, a UDP send message, or an ICMP request message. If the resource access request did not include any of these message types, then, instep1507, thecomputing device901 allows a direct TCP/IP transmission of the message. If, however, the resource access request was a TCP connect message, a UDP send message or an ICMP request message, then, instep1509, theclient303C determines whether the IP address in the resource access request is a known IP address. More particularly, theclient303C examines the IP address, to determine whether or not it has already processed the IP address. This step is optional, and is intended to optimize the operation of theclient303C by avoiding unnecessary further analysis of the IP address if those analyses have already been made.
Next, instep1511, therouting module907 determines if the IP address referenced in the request access request has been included in a system exclusion list. A system exclusion list may be used to identify those IP addresses that are being used for an essential purpose by thecomputing device901, and thus avoided by theclient303C. For example, the IP address of a gateway being used by thecomputing device901 should note be handled by theclient303C.
If the IP address referenced in the resource access request is in the system exclusion list, then, in1513, therouting module907 sets the IP address as a “known” IP address. Thus, the next time the IP address is used in a resource access request it will be identified by therouting module907 instep1509. If, however, the IP address referenced in the resource access request is not included in the system exclusion list, then instep1515 the routing module attempts to match the IP address referenced in the resource access request with a corresponding IP address redirection rule. If therouting module907 cannot match the reference IP address against a corresponding IP address redirection rule, then again the IP address is identified as a “known” IP address instep1513.
If, however, therouting module907 does match the referenced IP address with a corresponding IP address redirection rule, then, instep1517, therouting module907 checks the VPN look aside table to determine if a corresponding route has been saved in the table for this address. The process by which the VPN look aside table is created and maintained will be discussed in further detail below, with respect to the method in which theclient303C handles inbound communication. If an entry for the referenced IP address does not exist in the route table entry, then therouting module907 adds an entry for the referenced IP address to VPN look aside table in step519. Once the entry has been made (or, if therouting module907 determines that an entry already existed in step1517), instep1521 therouting module907 determines whether a corresponding route exists in the system routing table. As will be appreciated by those of ordinary skill in the art, the system routing table is the routing table used by the operating system of thecomputer901 to assign a TCP/IP communication route instep1507. If an entry for the referenced IP address does already exist in the existing routing table, then the IP address is identified as a “known” IP address isstep1513. Otherwise, a route for the referenced IP address is added from the NG route table to the system route table instep1523. Again, after the entry for the IP address has been made in the system route table, then instep1513 the routing module designates the referenced IP address as a “known” IP address isstep1513.
FIG. 16 illustrates how the local IP tunnel adaptor client processes incoming traffic from the network 301. As seen in this figure, in step 1601, the routing module 907 initially determines whether or not the incoming message is a reply to a DNS or a WINS request. If it is a reply to a previously sent DNS or WINS request, then in step 1603 the routing module 907 attempts to match the name referenced in the incoming message against a corresponding redirection rule in the host name redirection rule list. If the processing module 907 cannot match a name in the DNS/WINS reply message to a host redirection rule in the host redirection rule list, then in step 1605 the routing module 907 determines whether the reply is a reply to a DNS request. If it is, then the routing module 907 attempts to match a domain name reference in the incoming message against a corresponding domain name redirection rule in the domain name redirection rule list.
If the routing module 907 is able to match the name referenced in the incoming message in either step 1603 or step 1607 then, in step 1609, the routing module 907 extracts the IP address for the referenced host or domain name from the address record contained in the DNS/WINS reply message. Then, in step 1611, the routing module 907 adds the extracted IP address as the entry to the VPN look aside table corresponding to the reference name. In this manner, the routing module 907 creates a VPN look aside routing table based upon replies to WINS/DNS requests submitted to the network 301.
Once this process has been completed, or if the incoming message was not a reply to a DNS or a WINS request, in step 1613 the routing module 907 determines whether the resource referenced in the incoming message is a TCP SYN value, a UDP datagram, or an ICMP value. If it is not any of these value types, then the computer 901 handles the incoming message in a regular manner. Otherwise, in step 1515, the routing module 907 checks the VPN look aside table to determine if the address referenced in the incoming message has a corresponding entry. If it does not, then a routing entry for the IP address is created in the NG routing table in step 1617. Once a corresponding routing entry exists in the VPN look aside table, the routing module 907 determines whether a route for the IP address referenced in the incoming message has a corresponding entry in the system routing table. If it does not, then an entry for the IP address is made in the system routing table in step 1621.
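The following Python sketch is an added example, not code from the patent. It models how DNS/WINS replies populate the VPN look aside table (FIG. 16) and how an outbound address is then classified against the exclusion list, the IP address redirection rules and the system routing table (FIG. 15). The class and method names, the rule values and the choice to key the look aside table by IP address are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field


def _norm(name):
    """Lower-case a DNS/WINS name and drop a trailing root dot."""
    return name.rstrip(".").lower()


@dataclass
class RoutingModule:
    host_rules: set        # host name redirection rule list
    domain_rules: set      # domain name redirection rule list
    ip_rules: list         # IP address redirection rule list (networks)
    exclusions: list       # system exclusion list (networks)
    look_aside: dict = field(default_factory=dict)   # VPN look aside table: ip -> origin
    system_routes: set = field(default_factory=set)  # stand-in for the OS routing table
    known: set = field(default_factory=set)          # addresses already classified

    def on_name_reply(self, name, address, is_dns):
        """Inbound path: learn tunnel addresses from a DNS or WINS reply."""
        name = _norm(name)
        matched = None
        if name in self.host_rules:                        # host name rule match
            matched = "host"
        elif is_dns and any(name == d or name.endswith("." + d)
                            for d in self.domain_rules):   # domain rules: DNS replies only
            matched = "domain"
        if matched:
            ip = ipaddress.ip_address(address)             # address record in the reply
            self.look_aside[ip] = name                     # record it in the look aside table
        return matched

    def on_outbound(self, address):
        """Outbound path: return the list of steps taken for this address."""
        ip = ipaddress.ip_address(address)
        if ip in self.known:                               # already classified earlier
            return ["known"]
        steps = []
        if any(ip in net for net in self.exclusions):      # exclusion list is checked first
            steps.append("excluded")
        elif any(ip in net for net in self.ip_rules):      # IP redirection rule match
            if ip not in self.look_aside:
                self.look_aside[ip] = "ip-rule"
                steps.append("look-aside-added")
            if ip not in self.system_routes:
                self.system_routes.add(ip)
                steps.append("system-route-added")
        else:
            steps.append("no-rule")
        self.known.add(ip)                                 # every branch ends as "known"
        return steps + ["marked-known"]


def build_demo():
    """Constructed sample rule set; all names and ranges are illustrative."""
    nets = lambda *cidrs: [ipaddress.ip_network(c) for c in cidrs]
    return RoutingModule(
        host_rules={"intranet"},
        domain_rules={"corp.example"},
        ip_rules=nets("10.1.0.0/16"),
        exclusions=nets("10.1.255.0/24"),
    )


if __name__ == "__main__":
    rm = build_demo()
    print(rm.on_name_reply("mail.corp.example", "10.1.2.3", is_dns=True))
    print(rm.on_outbound("10.1.2.3"))
    print(rm.on_outbound("10.1.2.3"))
```

Because the look aside table is filled from whatever address record a matching reply carries, the integrity of the name resolution path determines which addresses end up routed into the tunnel.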
Network-Based Implementation of a Reverse Web Proxy Client
FIG. 17 illustrates the operation of a network based implementation of a network reverse web proxy server to prepare redirection rules of implementation according to various embodiments of the invention. As will be appreciated by those of ordinary skill in the art, this type of reverse web proxy client creates a “thin” client on the computer 901. All of the functions related to the client 303D, other than the dealing of the processing result, take place in the network 301.
Additionally, in step 1701, the client 303D begins the proxy service. Next, in step 1703, the rule processing module 905 reads the rules from the redirection rule server 315. It then sorts the rules as described in detail above in step 1705, and outputs the rules in step 1707. In step 1709 the client 303D the 301 network reverse proxy server, and in step 1711, the process is enabled.
FIG. 18 then illustrates a method whereby a routing module 907, running in the network 301, employs the redirection rules according to various examples of the invention. As seen in this figure, in step 1801, the routing module 907 receives an incoming URL response from a resource server 315. Next, in step 1803, the routing module 907 checks to determine whether the incoming URL is part of an alias attribute associated with the resource 307. Next, in step 1805, the routing module 907 checks to determine whether the URL contains a short host name attribute associated with the resource 307. If an alias or short name matched, then in step 1807 the routing module 907 rewrites the URL relative to the 301 server. Otherwise, in step 1809, the routing module determines whether the URL contains a host name. If it does not contain a name, then the IP address referenced in the URL is matched against the IP address redirection rule list in step 1811. Otherwise, the name in the URL is matched against any corresponding name in the host name redirection rule list and the domain name redirection rule list in step 1813. In step 1815, the routing module 907 determines whether or not the resource identifier referenced in the URL (either the IP address or name) was matched to a rule in one of the redirection rule lists. If it was, then the routing module 907 rewrites the URL in step 1807. Otherwise, in step 1819, the routing module 907 allows the response to complete without a URL rewrite.
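The decision order of FIG. 18 can be written out as follows. This is an added Python example, not code from the patent; the proxy host name `proxy.example`, the `/scheme/host/path` rewrite layout, the class name and the sample rules are all assumptions, since the text does not specify how a URL is rewritten relative to the proxy server.

```python
import ipaddress
from urllib.parse import urlsplit, urlunsplit

PROXY_HOST = "proxy.example"   # assumed public name of the reverse proxy


class UrlRewriter:
    def __init__(self, aliases, short_names, host_rules, domain_rules, ip_rules):
        self.aliases = {a.lower() for a in aliases}
        self.short_names = {s.lower() for s in short_names}
        self.host_rules = {h.lower() for h in host_rules}
        self.domain_rules = {d.lower() for d in domain_rules}
        self.ip_rules = [ipaddress.ip_network(n) for n in ip_rules]

    def classify(self, host):
        """Return which check matched the host, or None if nothing matched."""
        if host in self.aliases:                 # alias attribute (step 1803)
            return "alias"
        if host in self.short_names:             # short host name (step 1805)
            return "short-name"
        try:
            ip = ipaddress.ip_address(host)      # host part is a literal address?
        except ValueError:
            ip = None
        if ip is not None:                       # IP rule list (step 1811)
            return "ip-rule" if any(ip in n for n in self.ip_rules) else None
        if host in self.host_rules:              # name rule lists (step 1813)
            return "host-rule"
        if any(host == d or host.endswith("." + d) for d in self.domain_rules):
            return "domain-rule"
        return None

    def rewrite(self, url):
        """Rewrite a URL found in a response, or return it unchanged (step 1819)."""
        parts = urlsplit(url)
        host = (parts.hostname or "").lower().rstrip(".")
        if not host or self.classify(host) is None:
            return url                           # relative URL or no rule matched
        # Rebuild from hostname and port only, so userinfo never leaks into the path.
        shown = f"[{host}]" if ":" in host else host
        if parts.port is not None:
            shown = f"{shown}:{parts.port}"
        path = f"/{parts.scheme}/{shown}{parts.path}"
        return urlunsplit(("https", PROXY_HOST, path, parts.query, parts.fragment))


def build_rewriter():
    """Constructed sample rules; every value here is illustrative."""
    return UrlRewriter(
        aliases={"hr"},
        short_names={"wiki"},
        host_rules={"mail.corp.example"},
        domain_rules={"corp.example"},
        ip_rules=["10.1.0.0/16"],
    )


if __name__ == "__main__":
    rw = build_rewriter()
    for u in ("http://wiki/Home", "http://10.1.2.3:8080/app?x=1",
              "https://www.example.org/", "/relative/path"):
        print(u, "->", rw.rewrite(u))
```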
CONCLUSION
While the invention has been described with respect to specific examples including presently preferred modes of carrying out the invention, those skilled in the art will appreciate that there are numerous variations and permutations of the above described systems and techniques that fall within the spirit and scope of the invention as set forth in the appended claims. For example, while particular software services and processes have been described as performing various functions, it should be appreciated that the functionality of one or more of these services and processes may be combined into a single service or process, or divided among additional services and processes.

Claims (14)

What is claimed is:
1. A method of creating redirection rules for routing resource access requests from a computer to a network, the method comprising:
receiving, using a hardware processor, input at a user interface that identifies an inclusion redirection rule to associate with a resource, wherein a processor executing instructions out of a memory creates creating an inclusion redirection rule for at least one existing resource definition that is associated with the resource;
receiving an input over the user interface that identifies an exclusion redirection rule to associate with the resource the input associated with an exclusion resource definition, wherein the processor executing instructions out of the memory creates an exclusion redirection rule for the exclusion resource definition that is associated with the resource;
receiving a request to access an internet protocol (IP) address over a network interface;
ignoring the request to access the IP address after comparing an IP address range size associated with the inclusion redirection rule with an IP address range size associated with the exclusion redirection rule, and when the IP address exclusion rule range size matches the IP address inclusion rule range size.
2. The method recited in claim 1, further comprising combining the inclusion redirection rule with the exclusion redirection rule into a redirection rule list.
3. The method recited in claim 1, wherein the existing resource definition is maintained by a policy server for controlling access to the resource defined in the at least one existing resource definition.
4. The method recited in claim 1, further comprising:
receiving input with a second resource definition; and
creating a second inclusion redirection rule for the second resource definition.
5. The method recited in claim 1, wherein the existing resource definition includes the Internet protocol (IP) address for the resource.
6. The method recited in claim 1, wherein the existing resource definition includes a name for the resource.
7. The method recited in claim 6, wherein the name is a domain name.
8. The method recited in claim 6, wherein the name is a host name.
9. The method recited in claim 1, wherein the existing resource definition includes a universal resource locator (URL) address for the resource.
10. The method recited in claim 1, wherein the exclusion resource definition includes an Internet protocol (IP) address for the resource.
11. The method recited in claim 1, wherein the exclusion resource definition includes a name for the exclusion resource.
12. The method recited in claim 11, wherein the name is a domain name.
13. The method recited in claim 11, wherein the name is a host name.
14. The method recited in claim 1, wherein the exclusion resource definition includes a universal resource locator (URL) address for the exclusion resource.
US14/061,988 | Priority date 2003-12-10 | Filing date 2013-10-24 | Rule-based routing to resources through a network | Expired - Fee Related | US9197538B2 (en)

Priority Applications (3)

Application Number | Priority Date | Filing Date | Title
US14/061,988, US9197538B2 (en) | 2003-12-10 | 2013-10-24 | Rule-based routing to resources through a network
US14/477,767, US9397927B2 (en) | 2003-12-10 | 2014-09-04 | Rule-based routing to resources through a network
US15/180,329, US10003576B2 (en) | 2003-12-10 | 2016-06-13 | Rule-based routing to resources through a network

Applications Claiming Priority (5)

Application Number | Priority Date | Filing Date | Title
US52887003P | 2003-12-10 | 2003-12-10 |
US61915104P | 2004-10-14 | 2004-10-14 |
US11/009,692, US8255973B2 (en) | 2003-12-10 | 2004-12-10 | Provisioning remote computers for accessing resources
US11/251,592, US8590032B2 (en) | 2003-12-10 | 2005-10-14 | Rule-based routing to resources through a network
US14/061,988, US9197538B2 (en) | 2003-12-10 | 2013-10-24 | Rule-based routing to resources through a network

Related Parent Applications (1)

Application Number | Relation | Title | Priority Date | Filing Date
US11/251,592, US8590032B2 (en) | Continuation | Rule-based routing to resources through a network | 2003-12-10 | 2005-10-14

Related Child Applications (1)

Application Number | Relation | Title | Priority Date | Filing Date
US14/477,767, US9397927B2 (en) | Division | Rule-based routing to resources through a network | 2003-12-10 | 2014-09-04

Publications (2)

Publication Number | Publication Date
US20140053237A1 (en) | 2014-02-20
US9197538B2 (en) | 2015-11-24

Family

ID=46322903

Family Applications (7)

Application Number | Status | Title | Priority Date | Filing Date
US11/251,592, US8590032B2 (en) | Expired - Fee Related | Rule-based routing to resources through a network | 2003-12-10 | 2005-10-14
US11/927,272, US8005983B2 (en) | Expired - Lifetime | Rule-based routing to resources through a network | 2003-12-10 | 2007-10-29
US12/512,891, US8613041B2 (en) | Expired - Fee Related | Creating rules for routing resource access requests | 2003-12-10 | 2009-07-30
US12/512,884, US8615796B2 (en) | Expired - Fee Related | Managing resource allocations | 2003-12-10 | 2009-07-30
US14/061,988, US9197538B2 (en) | Expired - Fee Related | Rule-based routing to resources through a network | 2003-12-10 | 2013-10-24
US14/477,767, US9397927B2 (en) | Expired - Fee Related | Rule-based routing to resources through a network | 2003-12-10 | 2014-09-04
US15/180,329, US10003576B2 (en) | Expired - Lifetime | Rule-based routing to resources through a network | 2003-12-10 | 2016-06-13

Country Status (1)

Country | Link
US (7) | US8590032B2 (en)

US6760330B2 (en)*2000-12-182004-07-06Sun Microsystems, Inc.Community separation control in a multi-community node
US20040148439A1 (en)2003-01-142004-07-29Motorola, Inc.Apparatus and method for peer to peer network connectivty
US6772350B1 (en)1998-05-152004-08-03E.Piphany, Inc.System and method for controlling access to resources in a distributed environment
US20040153533A1 (en)2000-07-132004-08-05Lewis Lundy M.Method and apparatus for a comprehensive network management system
US6779030B1 (en)1997-10-062004-08-17Worldcom, Inc.Intelligent network
US20040165592A1 (en)*2003-02-212004-08-26Sbc Properties, L.P.Extended virtual user-to-network interface with ATM network
US20040215823A1 (en)2002-06-282004-10-28Kleinfelter Kevin P.System and method for reducing DNS lookup traffic in a computer data network
US20040223491A1 (en)2003-05-062004-11-11Levy-Abegnoli Eric M.Arrangement in a router for distributing a routing rule used to generate routes based on a pattern of a received packet
US20040249919A1 (en)2003-06-042004-12-09Dirk MattheisSystem and method for remote systems management and reporting
US6850943B2 (en)2002-10-182005-02-01Check Point Software Technologies, Inc.Security system and methodology for providing indirect access control
US20050044544A1 (en)1996-04-182005-02-24Microsoft CorporationMethods and systems for obtaining computer software via a network
US6874028B1 (en)1999-10-252005-03-29Microsoft CorporationSystem and method for unified registration information collection
US6873988B2 (en)2001-07-062005-03-29Check Point Software Technologies, Inc.System and methods providing anti-virus cooperative enforcement
US20050076139A1 (en)2002-03-292005-04-07Kabushiki Kaisha ToshibaNetwork system using name server with pseudo host name and pseudo IP address generation function
US6880005B1 (en)*2000-03-312005-04-12Intel CorporationManaging policy rules in a network
US20050083955A1 (en)2003-09-292005-04-21Guichard James N.Methods and apparatus to support routing of information
US20050120095A1 (en)2003-12-022005-06-02International Business Machines CorporationApparatus and method for determining load balancing weights using application instance statistical information
US20050144481A1 (en)2003-12-102005-06-30Chris HopenEnd point control
US6920502B2 (en)2000-04-132005-07-19Netilla Networks, Inc.Apparatus and accompanying methods for providing, through a centralized server site, an integrated virtual office environment, remotely accessible via a network-connected web browser, with remote network monitoring and management capabilities
US6957274B2 (en)2001-06-272005-10-18Microsoft CorporationSystem adds additional new routes and default routes to a routing table to allow concurrent access to two different network connections
US20050273779A1 (en)1996-06-072005-12-08William ChengAutomatic updating of diverse software products on multiple client computer systems
JP2006013732A (en)2004-06-242006-01-12Hitachi Ltd Routing apparatus and information processing apparatus authentication method
US6996631B1 (en)2000-08-172006-02-07International Business Machines CorporationSystem having a single IP address associated with communication protocol stacks in a cluster of processing systems
US7000121B2 (en)2000-06-152006-02-14Fujitsu Services LimitedComputer systems, in particular virtual private networks
US7017162B2 (en)2001-07-102006-03-21Microsoft CorporationApplication program interface for network software platform
WO2006044820A3 (en)2004-10-142006-06-29Aventail CorpRule-based routing to resources through a network
US20060143703A1 (en)2003-12-102006-06-29Chris HopenRule-based routing to resources through a network
US7073093B2 (en)2001-05-152006-07-04Hewlett-Packard Development Company, L.P.Helpdesk system and method
US20060161970A1 (en)2003-12-102006-07-20Chris HopenEnd point control
US7093024B2 (en)2001-09-272006-08-15International Business Machines CorporationEnd node partitioning using virtualization
US7099955B1 (en)2000-10-192006-08-29International Business Machines CorporationEnd node partitioning using LMC for a system area network
US7107614B1 (en)1999-01-292006-09-12International Business Machines CorporationSystem and method for network address translation integration with IP security
US7127493B1 (en)1998-08-202006-10-24Gautier Taylor SOptimizing server delivery of content by selective inclusion of optional data based on optimization criteria
US7131141B1 (en)*2001-07-272006-10-31At&T Corp.Method and apparatus for securely connecting a plurality of trust-group networks, a protected resource network and an untrusted network
US20060271544A1 (en)2005-05-272006-11-30International Business Machines CorporationMethods and apparatus for selective workload off-loading across multiple data centers
US20070061887A1 (en)2003-12-102007-03-15Aventail CorporationSmart tunneling to resources in a network
US7222172B2 (en)2002-04-262007-05-22Hitachi, Ltd.Storage system having virtualized resource
EP0804012B1 (en)1996-04-232007-07-18Nokia CorporationMultimedia terminal and method for realising multimedia reception
US7272625B1 (en)*1997-03-102007-09-18Sonicwall, Inc.Generalized policy server
US7283544B2 (en)2002-12-052007-10-16Hewlett-Packard Development Company, L.P.Automatic network device route management
US7289519B1 (en)2002-05-012007-10-30Cisco Technology, Inc.Methods and apparatus for processing content requests using domain name service
US7373660B1 (en)2003-08-262008-05-13Cisco Technology, Inc.Methods and apparatus to distribute policy information
US7401354B2 (en)1999-01-292008-07-15International Business Machines CorporationSystem and method for network address translation integration with IP Security
US7461147B1 (en)2002-08-262008-12-02Netapp. Inc.Node selection within a network based on policy
US7574738B2 (en)2002-11-062009-08-11At&T Intellectual Property Ii, L.P.Virtual private network crossovers based on certificates
US7580919B1 (en)*1997-03-102009-08-25Sonicwall, Inc.Query interface to policy server
US7624142B2 (en)2000-06-232009-11-24Cloudshield Technologies, Inc.System and method for processing packets according to user specified rules governed by a syntax
US7644151B2 (en)2002-01-312010-01-05Lancope, Inc.Network service zone locking
US7822839B1 (en)2003-05-062010-10-26F5 Networks, Inc.Method and system for accessing network services
US7822829B2 (en)1998-09-112010-10-26Rpx-Lv Acquisition LlcMethod for interfacing scanned product information with a source for the product over a global network
US7865603B2 (en)2004-09-302011-01-04Citrix Systems, Inc.Method and apparatus for assigning access control levels in providing access to networked content files

Cited By (21)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
US10135827B2 (en) | 2003-12-10 | 2018-11-20 | Sonicwall Inc. | Secure access to remote resources over a network
US9300670B2 (en) | 2003-12-10 | 2016-03-29 | Aventail Llc | Remote access to resources over a network
US9397927B2 (en) | 2003-12-10 | 2016-07-19 | Aventail Llc | Rule-based routing to resources through a network
US9407456B2 (en) | 2003-12-10 | 2016-08-02 | Aventail Llc | Secure access to remote resources over a network
US9628489B2 (en) | 2003-12-10 | 2017-04-18 | Sonicwall Inc. | Remote access to resources over a network
US9906534B2 (en) | 2003-12-10 | 2018-02-27 | Sonicwall Inc. | Remote access to resources over a network
US10003576B2 (en) | 2003-12-10 | 2018-06-19 | Sonicwall Inc. | Rule-based routing to resources through a network
US10313350B2 (en) | 2003-12-10 | 2019-06-04 | Sonicwall Inc. | Remote access to resources over a network
US20160188621A1 (en)* | 2014-12-31 | 2016-06-30 | Netapp, Inc. | Centralized management center for managing storage services
US9804929B2 (en)* | 2014-12-31 | 2017-10-31 | Netapp, Inc. | Centralized management center for managing storage services
US10387263B2 (en) | 2014-12-31 | 2019-08-20 | Netapp, Inc. | Centralized management center for managing storage services
US9740568B2 (en) | 2014-12-31 | 2017-08-22 | Netapp, Inc. | Centralized graphical user interface and associated methods and systems for a centralized management center for managing storage services in a networked storage environment
US10496488B2 (en) | 2014-12-31 | 2019-12-03 | Netapp, Inc. | Methods and systems for clone management
US11165885B2 (en) | 2016-03-31 | 2021-11-02 | Alibaba Group Holding Limited | Routing method and device
US10298543B2 (en)* | 2016-12-12 | 2019-05-21 | Verisign, Inc. | Real-time association of a policy-based firewall with a dynamic DNS hostname
US11140235B1 (en) | 2020-09-11 | 2021-10-05 | metacluster lt, UAB | Dynamic optimization of request parameters for proxy server
US10965770B1 (en) | 2020-09-11 | 2021-03-30 | Metacluster It, Uab | Dynamic optimization of request parameters for proxy server
US11343342B2 (en) | 2020-09-11 | 2022-05-24 | metacluster lt, UAB | Dynamic optimization of request parameters for proxy server
US11470174B2 (en) | 2020-09-11 | 2022-10-11 | metacluster lt, UAB | Dynamic optimization of request parameters for proxy server
US11456987B1 (en)* | 2021-05-07 | 2022-09-27 | State Farm Mutual Automobile Insurance Company | Systems and methods for automatic internet protocol address management
US12113769B2 (en) | 2021-05-07 | 2024-10-08 | State Farm Mutual Automobile Insurance Company | Systems and methods for automatic internet protocol address management

Also Published As

Publication number | Publication date
US9397927B2 (en) | 2016-07-19
US8005983B2 (en) | 2011-08-23
US8613041B2 (en) | 2013-12-17
US10003576B2 (en) | 2018-06-19
US20160294778A1 (en) | 2016-10-06
US20100024008A1 (en) | 2010-01-28
US8590032B2 (en) | 2013-11-19
US8615796B2 (en) | 2013-12-24
US20060143703A1 (en) | 2006-06-29
US20140053237A1 (en) | 2014-02-20
US20080162698A1 (en) | 2008-07-03
US20100036955A1 (en) | 2010-02-11
US20150052248A1 (en) | 2015-02-19

Similar Documents

Publication | Publication Date | Title
US10003576B2 (en) |  | Rule-based routing to resources through a network
WO2006044820A2 (en) |  | Rule-based routing to resources through a network
US10135827B2 (en) |  | Secure access to remote resources over a network
EP1998506B1 (en) |  | Method for controlling the connection of a virtual network
US9037738B2 (en) |  | Web-based security and filtering system for inbound/outbound communications with proxy chaining
US7533409B2 (en) |  | Methods and systems for firewalling virtual private networks
EP3557822A1 (en) |  | Fully qualified domain name-based traffic control for virtual private network access control
JP2008507929A (en) |  | Method and system for securing remote access to a private network
CN102197400A (en) |  | Network location determination for direct access networks
US7173933B1 (en) |  | System and method for providing source awareness in a network environment
US20050160160A1 (en) |  | Method and system for unified session control of multiple management servers on network appliances
US7844731B1 (en) |  | Systems and methods for address spacing in a firewall cluster
JP3575369B2 (en) |  | Access routing method and access providing system
WO2006096875A1 (en) |  | Smart tunneling to resources in a remote network
Snyder |  | NetScreen, Nokia top the growing field of products that target simplified secure remote access.
JP2002185537A (en) |  | Method for connecting networks
KR20090000069A (en) |  | Record medium recording method of e-mail address processing and program to execute it

Legal Events

Date | Code | Title | Description
ASAssignment

Owner name:BANK OF AMERICA, N.A., AS COLLATERAL AGENT, NORTH CAROLINA

Free format text:SUPPLEMENT TO PATENT SECURITY AGREEMENT (TERM LOAN);ASSIGNORS:COMPELLENT TECHNOLOGIES, INC.;DELL PRODUCTS L.P.;DELL SOFTWARE INC.;AND OTHERS;REEL/FRAME:032809/0930

Effective date:20140321

Owner name:THE BANK OF NEW YORK MELLON TRUST COMPANY N.A., AS NOTES COLLATERAL AGENT, TEXAS

Free format text:SUPPLEMENT TO PATENT SECURITY AGREEMENT (NOTES);ASSIGNORS:COMPELLENT TECHNOLOGIES, INC.;DELL PRODUCTS L.P.;DELL SOFTWARE INC.;AND OTHERS;REEL/FRAME:032810/0206

Effective date:20140321

Owner name:BANK OF AMERICA, N.A., AS ADMINISTRATIVE AGENT, NORTH CAROLINA

Free format text:SUPPLEMENT TO PATENT SECURITY AGREEMENT (ABL);ASSIGNORS:COMPELLENT TECHNOLOGIES, INC.;DELL PRODUCTS L.P.;DELL SOFTWARE INC.;AND OTHERS;REEL/FRAME:032809/0887

Effective date:20140321

ASAssignment

Owner name:AVENTAIL LLC, CALIFORNIA

Free format text:MERGER;ASSIGNOR:AVENTAIL CORPORATION;REEL/FRAME:033633/0369

Effective date:20071211

Owner name:AVENTAIL CORPORATION, WASHINGTON

Free format text:ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:HOPEN, CHRIS;SAUVE, BRYAN;HOOVER, PAUL;AND OTHERS;SIGNING DATES FROM 20060210 TO 20060302;REEL/FRAME:033633/0160

STCFInformation on status: patent grant

Free format text:PATENTED CASE

ASAssignment

Owner name:SECUREWORKS, INC., GEORGIA

Free format text:RELEASE OF REEL 032809 FRAME 0887 (ABL);ASSIGNOR:BANK OF AMERICA, N.A., AS ADMINISTRATIVE AGENT;REEL/FRAME:040017/0314

Effective date:20160907

Owner name:DELL PRODUCTS L.P., TEXAS

Free format text:RELEASE OF REEL 032809 FRAME 0887 (ABL);ASSIGNOR:BANK OF AMERICA, N.A., AS ADMINISTRATIVE AGENT;REEL/FRAME:040017/0314

Effective date:20160907

Owner name:DELL SOFTWARE INC., CALIFORNIA

Free format text:RELEASE OF REEL 032809 FRAME 0887 (ABL);ASSIGNOR:BANK OF AMERICA, N.A., AS ADMINISTRATIVE AGENT;REEL/FRAME:040017/0314

Effective date:20160907

Owner name:COMPELLENT TECHNOLOGIES, INC., MINNESOTA

Free format text:RELEASE OF REEL 032809 FRAME 0887 (ABL);ASSIGNOR:BANK OF AMERICA, N.A., AS ADMINISTRATIVE AGENT;REEL/FRAME:040017/0314

Effective date:20160907

Owner name:FORCE10 NETWORKS, INC., CALIFORNIA

Free format text:RELEASE OF REEL 032809 FRAME 0887 (ABL);ASSIGNOR:BANK OF AMERICA, N.A., AS ADMINISTRATIVE AGENT;REEL/FRAME:040017/0314

Effective date:20160907

Owner name:CREDANT TECHNOLOGIES, INC., TEXAS

Free format text:RELEASE OF REEL 032809 FRAME 0887 (ABL);ASSIGNOR:BANK OF AMERICA, N.A., AS ADMINISTRATIVE AGENT;REEL/FRAME:040017/0314

Effective date:20160907

ASAssignment

Owner name:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH, AS COLLATERAL AGENT, NORTH CAROLINA

Free format text:SECURITY AGREEMENT;ASSIGNORS:AVENTAIL LLC;DELL PRODUCTS, L.P.;DELL SOFTWARE INC.;REEL/FRAME:040030/0187

Effective date:20160907

Owner name:THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS NOTES COLLATERAL AGENT, TEXAS

Free format text:SECURITY AGREEMENT;ASSIGNORS:AVENTAIL LLC;DELL PRODUCTS L.P.;DELL SOFTWARE INC.;REEL/FRAME:040039/0642

Effective date:20160907

Owner name:COMPELLENT TECHNOLOGIES, INC., MINNESOTA

Free format text:RELEASE OF REEL 032810 FRAME 0206 (NOTE);ASSIGNOR:BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS COLLATERAL AGENT;REEL/FRAME:040027/0204

Effective date:20160907

Owner name:DELL PRODUCTS L.P., TEXAS

Free format text:RELEASE OF REEL 032810 FRAME 0206 (NOTE);ASSIGNOR:BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS COLLATERAL AGENT;REEL/FRAME:040027/0204

Effective date:20160907

Owner name:FORCE10 NETWORKS, INC., CALIFORNIA

Free format text:RELEASE OF REEL 032810 FRAME 0206 (NOTE);ASSIGNOR:BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS COLLATERAL AGENT;REEL/FRAME:040027/0204

Effective date:20160907

Owner name:CREDANT TECHNOLOGIES, INC., TEXAS

Free format text:RELEASE OF REEL 032810 FRAME 0206 (NOTE);ASSIGNOR:BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS COLLATERAL AGENT;REEL/FRAME:040027/0204

Effective date:20160907

Owner name:SECUREWORKS, INC., GEORGIA

Free format text:RELEASE OF REEL 032810 FRAME 0206 (NOTE);ASSIGNOR:BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS COLLATERAL AGENT;REEL/FRAME:040027/0204

Effective date:20160907

Owner name:DELL SOFTWARE INC., CALIFORNIA

Free format text:RELEASE OF REEL 032810 FRAME 0206 (NOTE);ASSIGNOR:BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS COLLATERAL AGENT;REEL/FRAME:040027/0204

Effective date:20160907

Owner name:DELL PRODUCTS L.P., TEXAS

Free format text:RELEASE OF SECURITY INTEREST OF REEL 032809 FRAME 0930 (TL);ASSIGNOR:BANK OF AMERICA, N.A., AS COLLATERAL AGENT;REEL/FRAME:040045/0255

Effective date:20160907

Owner name:SECUREWORKS, INC., GEORGIA

Free format text:RELEASE OF SECURITY INTEREST OF REEL 032809 FRAME 0930 (TL);ASSIGNOR:BANK OF AMERICA, N.A., AS COLLATERAL AGENT;REEL/FRAME:040045/0255

Effective date:20160907

Owner name:COMPELLENT TECHNOLOGIES, INC., MINNESOTA

Free format text:RELEASE OF SECURITY INTEREST OF REEL 032809 FRAME 0930 (TL);ASSIGNOR:BANK OF AMERICA, N.A., AS COLLATERAL AGENT;REEL/FRAME:040045/0255

Effective date:20160907

Owner name:DELL SOFTWARE INC., CALIFORNIA

Free format text:RELEASE OF SECURITY INTEREST OF REEL 032809 FRAME 0930 (TL);ASSIGNOR:BANK OF AMERICA, N.A., AS COLLATERAL AGENT;REEL/FRAME:040045/0255

Effective date:20160907

Owner name:FORCE10 NETWORKS, INC., CALIFORNIA

Free format text:RELEASE OF SECURITY INTEREST OF REEL 032809 FRAME 0930 (TL);ASSIGNOR:BANK OF AMERICA, N.A., AS COLLATERAL AGENT;REEL/FRAME:040045/0255

Effective date:20160907

Owner name:CREDANT TECHNOLOGIES, INC., TEXAS

Free format text:RELEASE OF SECURITY INTEREST OF REEL 032809 FRAME 0930 (TL);ASSIGNOR:BANK OF AMERICA, N.A., AS COLLATERAL AGENT;REEL/FRAME:040045/0255

Effective date:20160907

ASAssignment

Owner name:DELL PRODUCTS L.P., TEXAS

Free format text:RELEASE OF SECURITY INTEREST IN CERTAIN PATENTS PREVIOUSLY RECORDED AT REEL/FRAME (040039/0642);ASSIGNOR:THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A.;REEL/FRAME:040521/0016

Effective date:20161031

Owner name:DELL SOFTWARE INC., CALIFORNIA

Free format text:RELEASE BY SECURED PARTY;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:040521/0467

Effective date:20161031

Owner name:AVENTAIL LLC, CALIFORNIA

Free format text:RELEASE BY SECURED PARTY;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:040521/0467

Effective date:20161031

Owner name:DELL SOFTWARE INC., CALIFORNIA

Free format text:RELEASE OF SECURITY INTEREST IN CERTAIN PATENTS PREVIOUSLY RECORDED AT REEL/FRAME (040039/0642);ASSIGNOR:THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A.;REEL/FRAME:040521/0016

Effective date:20161031

Owner name:DELL PRODUCTS, L.P., TEXAS

Free format text:RELEASE BY SECURED PARTY;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:040521/0467

Effective date:20161031

Owner name:AVENTAIL LLC, CALIFORNIA

Free format text:RELEASE OF SECURITY INTEREST IN CERTAIN PATENTS PREVIOUSLY RECORDED AT REEL/FRAME (040039/0642);ASSIGNOR:THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A.;REEL/FRAME:040521/0016

Effective date:20161031

ASAssignment

Owner name:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH, AS COLLATERAL AGENT, NEW YORK

Free format text:FIRST LIEN PATENT SECURITY AGREEMENT;ASSIGNOR:DELL SOFTWARE INC.;REEL/FRAME:040581/0850

Effective date:20161031

ASAssignment

Owner name:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH, AS COLLATERAL AGENT, NEW YORK

Free format text:SECOND LIEN PATENT SECURITY AGREEMENT;ASSIGNOR:DELL SOFTWARE INC.;REEL/FRAME:040587/0624

Effective date:20161031

ASAssignment

Owner name:SONICWALL US HOLDINGS, INC., CALIFORNIA

Free format text:INTELLECTUAL PROPERTY SECURITY AGREEMENT;ASSIGNOR:AVENTAIL LLC;REEL/FRAME:041072/0235

Effective date:20161230

ASAssignment

Owner name:SONICWALL US HOLDINGS INC., CALIFORNIA

Free format text:CORRECTIVE ASSIGNMENT TO CORRECT THE NATURE OF CONVEYANCE PREVIOUSLY RECORDED AT REEL: 041072 FRAME: 235. ASSIGNOR(S) HEREBY CONFIRMS THE INTELLECTUAL PROPERTY ASSIGNMENT AGREEMENT;ASSIGNOR:AVENTAIL LLC;REEL/FRAME:042245/0523

Effective date:20161230

ASAssignment

Owner name:QUEST SOFTWARE INC. (F/K/A DELL SOFTWARE INC.), CALIFORNIA

Free format text:CORRECTIVE ASSIGNMENT TO CORRECT THE ASSIGNEE PREVIOUSLY RECORDED AT REEL: 040587 FRAME: 0624. ASSIGNOR(S) HEREBY CONFIRMS THE ASSIGNMENT;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:044811/0598

Effective date:20171114

Owner name:AVENTAIL LLC, CALIFORNIA

Free format text:CORRECTIVE ASSIGNMENT TO CORRECT THE ASSIGNEE PREVIOUSLY RECORDED AT REEL: 040587 FRAME: 0624. ASSIGNOR(S) HEREBY CONFIRMS THE ASSIGNMENT;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:044811/0598

Effective date:20171114

ASAssignment

Owner name:QUEST SOFTWARE INC. (F/K/A DELL SOFTWARE INC.), CALIFORNIA

Free format text:RELEASE OF FIRST LIEN SECURITY INTEREST IN PATENTS RECORDED AT R/F 040581/0850;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH, AS COLLATERAL AGENT;REEL/FRAME:046211/0735

Effective date:20180518

Owner name:AVENTAIL LLC, CALIFORNIA

Free format text:RELEASE OF FIRST LIEN SECURITY INTEREST IN PATENTS RECORDED AT R/F 040581/0850;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH, AS COLLATERAL AGENT;REEL/FRAME:046211/0735

Effective date:20180518

ASAssignment

Owner name:UBS AG, STAMFORD BRANCH, AS COLLATERAL AGENT, CONNECTICUT

Free format text:SECOND LIEN PATENT SECURITY AGREEMENT;ASSIGNOR:SONICWALL US HOLDINGS INC.;REEL/FRAME:046321/0393

Effective date:20180518

Owner name:UBS AG, STAMFORD BRANCH, AS COLLATERAL AGENT, CONNECTICUT

Free format text:FIRST LIEN PATENT SECURITY AGREEMENT;ASSIGNOR:SONICWALL US HOLDINGS INC.;REEL/FRAME:046321/0414

Effective date:20180518

MAFPMaintenance fee payment

Free format text:PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment:4

FEPPFee payment procedure

Free format text:MAINTENANCE FEE REMINDER MAILED (ORIGINAL EVENT CODE: REM.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

LAPSLapse for failure to pay maintenance fees

Free format text:PATENT EXPIRED FOR FAILURE TO PAY MAINTENANCE FEES (ORIGINAL EVENT CODE: EXP.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

STCHInformation on status: patent discontinuation

Free format text:PATENT EXPIRED DUE TO NONPAYMENT OF MAINTENANCE FEES UNDER 37 CFR 1.362

FPLapsed due to failure to pay maintenance fee

Effective date:20231124

ASAssignment

Owner name:SONICWALL US HOLDINGS INC., CALIFORNIA

Free format text:RELEASE OF SECOND LIEN SECURITY INTEREST IN PATENTS RECORDED AT RF 046321/0393;ASSIGNOR:UBS AG, STAMFORD BRANCH, AS COLLATERAL AGENT;REEL/FRAME:071625/0887

Effective date:20250613

